This statement underpins the policies, promises and contracts we make with organisations and users relating to the data processed by DataExchange.
In conjunction with this document, you should read the Glossary of Terms used within this statement, and also elsewhere on our site.
Last updated: 05 September 2017
Privacy and security are at the heart of everything we do at DataExchange. This statement explains the key measures we’ve put in place to ensure that data is kept secure and processed appropriately at all times. It also covers our commitments to our users, and what we expect from organisations in terms of privacy and data protection.
For further detail, please refer to our full Terms of Service.
- Process data for purposes necessary to provide the DataExchange service and services explicitly deployed to your organisation.
- Adhere strictly to the terms of the Data Protection Act 1998 and the General Data Protection Regulation 2018 and any future amendments or applicable legislation.
- Only store and process the minimum data required to provide access to DataExchange and its applications, and to inform you in advance what data that application requires.
- Transport and store all data originating from schools using modern, best-practice encryption technologies. This includes Secure Sockets Layer (SSL/TLS) for encrypted data transfer over the internet, encryption of all data at rest, field-level encryption for personally identifiable data and password-protected identities for all end users.
- Comply with all Subject Access Requests made relating to the data we store as data controller. Subject Access Requests for data that we process as a data integrator should be directed to the data provider.
- Only retain data for as long as required.
- Always maintain adequate liability insurance.
- Report any breaches of security to the data controller, the Information Commissioner’s Office (ICO) and other authorities if required by law, and, in co-operation with the data controller, to data subjects.
- Always notify an organisation prior to deploying an application, inform the organisation what data is required, and allow the request to be accepted or rejected.
We DO NOT
- Store or transport personal or sensitive data outside of the UK, the EU, or countries deemed to have Adequate Levels of Protection as defined by the European Commission, where the data originates within such a country.
- Share data with third parties except where explicitly requested by the data controller or required by law.
- Claim ownership or exclusive rights over any of the data processed or created as part of services provided to an organisation.
Security and Encryption
We take every reasonable measure to ensure we store data securely. DataExchange is developed using secure technologies, which include, but are not limited to, the following:
- All data transmissions to and from DataExchange are encrypted using modern SSL/TLS protocols and ciphers.
- Encryption at rest, i.e. when stored on a disk.
- Field-level encryption, where we feel it necessary to do so.
- Encrypted passwords and role-based access controls are used to access DataExchange.
- All servers are situated in secure locations that comply with the Data Protection Act 1998.
Staff access to data
DataExchange does not look ‘under the hood’ or inspect any of the data we store. The only exceptions to this are where an organisation has explicitly given us permission to do so; for example, to provide technical support to correct a technical problem. This permission is given on an ‘as needed’ basis and the ability to access the data is revoked once the technical problem is resolved.
All our staff, including contractors, are required to agree to strict confidentiality and non-disclosure clauses in their employment contracts.
Deleting and Retaining Data
DataExchange retains data for as long as necessary to provide an organisation access to their services. If an organisation. We will also delete personal data if we detect that an account has been inactive for a significant amount of time.
DataExchange and Applications
Organisations are responsible for accepting any terms and conditions of third party (vendor) applications.
Before we allow data interchange (exchange) between parties through DataExchange, we require all parties involved to sign appropriate data sharing agreements that define the scope of data transfer/access. These agreements can be revoked at any time by any party.
General Website Privacy
If you are a registered user of the DataExchange website, or have expressed interest in DataExchange on the DataExchange website, and have supplied your email address, we may occasionally send you an email to tell you about new features, ask for feedback or keep you up to date with our products. If you no longer wish to be included in these communications, please either use the unsubscribe link at the bottom of our emails, or email firstname.lastname@example.org and we will remove you from the list.
Third Party Websites
We cannot be responsible for the privacy policies and practices of other sites even if you access them using links on our website. We recommend that you check the policy of each site you visit and contact the owner or operator if you have any questions or concerns.
A cookie is a piece of data stored on your computer, mobile phone or tablet when you visit a website. It is stored within your web browser and subsequently sent back to the same website by your browser. The cookie helps the website to recognise your specific browser and computer when you return.
||Token generated for the session to prevent Cross-site request forgery.|
||The ID of your current session on dataexchange.education|
||Used for authentication on dataexchange.education.|
||Session cookie for Stripe, a secure online payment gateway; persists for 1 year.|
||Session cookie for Stripe, a secure online payment gateway; persists for 30 minutes.|
||Google Analytics, persists for 2 years, used to distinguish users for the purpose of site metrics.|
||Google Analytics, persists for 24 hours, used to distinguish users for the purpose of site metrics.|
||Google Analytics, persists for 1 minute, used to throttle request rates.|
Questions or Grievances
Questions or grievances in relation to security or privacy should be emailed to email@example.com.